national security – Gigaom
http://gigaom.com
The industry leader in emerging technology research
Feed last updated: Mon, 16 Oct 2017 14:58:55 +0000

Proposed Chinese security law could mean tough rules for tech companies
http://gigaom.com/2015/02/27/proposed-chinese-security-law-could-mean-tough-rules-for-tech-companies/
Fri, 27 Feb 2015 20:20:54 +0000

China apparently wants to one-up the U.S. and the U.K. when it comes to pressing technology companies to install security backdoors and break the encryption on documents and user communications in the name of national security.

Reuters reported on Friday that a newly proposed Chinese counterterrorism law calls for technology companies to hand their encryption keys to the Chinese government, to build ways of bypassing the security mechanisms in their products, to store user data on servers located in China, and to remove any content that the country deems supportive of terrorists.

China is expected to adopt the draft legislation in the “coming weeks or months,” according to the report. The proposed law follows a set of banking security rules the Chinese government adopted in late 2014 that require companies selling software or hardware to Chinese financial institutions to place security backdoors in their products, hand over source code and submit to audits.

The Reuters report cited several anonymous executives of U.S. technology companies who said they are more worried about this newly proposed law than about the banking rules because of its connection to national security. According to the report, the law is worded so as to be open to interpretation, especially in regard to what compliance with Chinese law enforcement would require, leaving some executives fearful of “steep penalties or jail time for non-compliance.”

The newly proposed law follows recent news that China has been angered by U.S. intelligence-gathering operations revealed in the leaked Edward Snowden NSA documents, and by allegations from the U.S. government that members of China’s People’s Liberation Army used cyber espionage to steal business trade secrets. China has not taken those allegations kindly and instead claims that products sold in China by U.S. technology companies pose security concerns of their own.

If there is one thing China, the U.S. and the U.K. all agree on, however, it is that companies should not be using encryption to keep user communications out of governments’ reach. Where companies do deploy it, governments want them to hand over their encryption keys whenever a law enforcement or national security investigation calls for it.

Attorney General Eric Holder and FBI Director James Comey have made public their displeasure with how encryption, in their view, makes it easier to hide the activities of criminals. However, a recently leaked document from the Edward Snowden NSA data dump showed that some U.S. officials believe encryption is the “[b]est defense to protect data.” The two positions are hard to square in practice: a key that is held back so that a government can demand it has to be stored and protected somewhere, and that store is a target for every other adversary as well.

Tech and media firms join Twitter in key test of FBI gag orders
http://gigaom.com/2015/02/18/tech-and-media-firms-join-twitter-in-key-test-of-fbi-gag-orders/
Wed, 18 Feb 2015 16:07:53 +0000

A bitter fight between the Justice Department and Silicon Valley is expanding as a diverse group of companies have lined up behind Twitter in a case that will help determine the limits of free speech in the age of Edward Snowden.

On Tuesday, groups ranging from BuzzFeed to the Wikimedia Foundation to the Guardian filed friend-of-the-court briefs to support a challenge by Twitter to Patriot Act gag orders. Two other large companies, which are only allowed to refer to themselves as “Corporations 1 & 2,” also filed briefs.

The case, which began when Twitter sued the Justice Department in October, turns on how companies may use so-called “transparency reports” to tell users about government requests for their data.

Twitter claims it has a right under the First Amendment to say specifically how often it receives National Security Letters, while the government counters that companies can only do so in broad strokes lest they jeopardize national security.

In recent years, the FBI has made extensive use of National Security Letters to obtain information about subscribers, while also attaching gag orders to the letters that forbid companies from revealing they have even received a letter in the first place. The Justice Department has issued hundreds or thousands of such letters to companies like Google, Facebook and AT&T.

In its lawsuit, Twitter claims it is an illegal prior restraint of free speech for the government to bar companies from even disclosing that they have received a letter. A group of media companies has now voiced support for that argument:

“Twitter’s proposed transparency report is no less entitled to free speech protections than ‘literature’ or ‘movies,'” said the brief filed on behalf of BuzzFeed, NPR, the Washington Post, PEN America, the Guardian and First Look Media.

The brief reflects the media’s newfound legal interest in what has largely been a tech industry fight, but it also shows how digital media companies like BuzzFeed are finally taking up the legal fight for free speech, a burden long borne almost entirely by old-line newspaper companies.

“Corporations 1 & 2”

Meanwhile, a separate filing shows that a phone company and an internet company are also weighing in on the Twitter case, but under the names “Corporations 1 & 2.” The companies (likely Verizon and Google or Yahoo) are using the pseudonyms at the direction of a judge, and are muzzled in part because they are already before an appeals court in another national security case over the right to disclose government demands.

The right of internet companies to discuss security letters has become more pressing since 2013, when leaked documents from Edward Snowden revealed massive surveillance operations by the U.S. government. Those operations rely on obtaining information from tech and phone companies, and have been facilitated by the legal process governing Patriot Act letters, as well as a related process for NSA demands.

In response, companies like Twitter have come to claim that free speech and the public interest give them the freedom to disclose how many NSA and FBI letters they receive in the first place. The companies stress they are not arguing for the right to disclose the contents of the letters, since doing so could jeopardize ongoing investigations, but only the existence of the letters.

The docket also shows that a group of other entities — the Wikimedia Foundation, CloudFlare, Sonic, Wickr, Credo Mobile and Automattic (publisher of WordPress.com) — filed a brief in support of Twitter.

The original post embeds a copy of the media companies’ filing with some of the key parts underlined. Note that a key part of the argument turns on whether the federal judge has authority to hear the case in the first place (as the companies argue) or whether the case belongs instead in a controversial secret court (as the Justice Department claims).

This article was updated at 12:35pm ET to note that Automattic is the publisher of WordPress.com; an earlier version said “WordPress” (which refers to the software used by the company, WordPress.com). This article was also updated at 1:40pm on Thursday to clarify that it was the Wikimedia Foundation (not Wikipedia) that was on the amicus brief.

Court backs NSA on internet spying as Obama ducks call for reform
http://gigaom.com/2015/02/11/court-backs-nsa-on-internet-spying-as-obama-ducks-call-for-reform/
Wed, 11 Feb 2015 14:53:51 +0000

It’s been a lousy week so far for opponents of U.S. spy tactics: a federal judge shut down a long-running challenge to the NSA’s mass collection of customer internet data, while President Obama brushed off a call to do something about the sprawl of government surveillance.

The court case in question, Jewel v. NSA, involves a romance writer in California who argued that AT&T should have obtained a warrant before using a secret room to forward the internet traffic of its customers to intelligence agencies. The case, filed in 2008, was one of the first to challenge the U.S. collection of metadata, and it shed light on the close collaboration between telecom companies and the government — a collaboration that has gained considerably more attention in the wake of the Edward Snowden leaks.

But on Tuesday, U.S. District Judge Jeffrey White ruled that Carolyn Jewel and the other plaintiffs had failed to show they had the legal standing required to bring the challenge.

And in a double defeat for the Electronic Frontier Foundation and others who saw the case as a tool for surveillance reform, Judge White added that the need to protect state secrets would preclude him from ruling on the issue even if Jewel did have standing.

Meanwhile, President Obama appears to be reneging on his earlier pledges to rein in the controversial metadata collections program, which the Justice Department has said is necessary to protect Americans, but which critics say results in the government collecting too much data for too long.

The Obama dodge came during an interview with BuzzFeed this week, in which the President spoke at length about topics like same-sex marriage, Russia and Hillary Clinton. When it came to the topic of metadata, however, Obama was tight-lipped. Asked why he didn’t use his executive power to restrict the scope of surveillance with a “stroke of the pen,” Obama said only that it was an issue for Congress.

So all in all, this week’s developments did little to assuage those who fear we’re creating a surveillance state. Meanwhile, the EFF also filed a new legal challenge to the Justice Department’s use of aircraft to scoop up cellphone signals over U.S. cities. Time to break out the tinfoil hat?

DARPA shows off its tech for indexing the deep web
http://gigaom.com/2015/02/09/darpa-shows-off-its-tech-for-indexing-the-deep-web/
Mon, 09 Feb 2015 20:54:38 +0000

On Sunday night, 60 Minutes aired a segment about the Defense Advanced Research Projects Agency, or DARPA, and its attempts to secure the internet from hackers, human traffickers and other criminals. One of the DARPA efforts the program highlighted — and did so even more in an unaired segment for the web — is a project called Memex, which is essentially a search engine for the deep web and the dark web.

The technology looks pretty amazing in a number of ways, including its scale, its speed and its interface. Of course, it’s also tackling a horrible and often under-appreciated problem, which is the illegal trafficking of women and girls as sex objects. Asked why DARPA is concerned with sex trafficking, Memex inventor Chris White explained that people willing to take part in that endeavor are often more likely to take part in other endeavors — including things like weapons or drug trafficking — that could have national security implications.

The work DARPA is doing is part of a larger effort, which also includes tech companies like Google and Palantir, to identify and map instances of human trafficking around the world. It’s one of many problems that has existed for a long time, but that the internet has made easier to engage in. However, these efforts and others also show how the internet is making it easier for law-enforcement agencies to track and prosecute these crimes, provided the right analytical techniques are in place.

The 60 Minutes segment also featured DARPA innovation head Dan Kaufman, who spoke about web security at our Structure conference last June.

Report: No real substitute for NSA’s bulk data collection
http://gigaom.com/2015/01/16/report-no-real-substitute-for-nsas-bulk-data-collection/
Fri, 16 Jan 2015 21:57:33 +0000

A new report from the National Research Council concludes that untargeted, or bulk, data collection remains probably the best method for fulfilling the National Security Agency’s mission. However, the report’s authors note, there are measures that can be taken to make that practice more transparent and less susceptible to agency abuse.

The 80-plus-page report, which was written in response to a presidential directive to investigate alternatives to bulk data collection by the intelligence community, lays out various possible methods of targeting data collection to specific individuals, groups or behavior patterns — ranging from machine learning to real-time analysis — but seems to come down on the side of the status quo. The only way to investigate newly identified suspects or new information is to have a large database that might already include relevant data, the report explained.

The report does offer suggestions for improving public trust in the process, primarily focused on improving the sanctity of the bulk datastore and how that data is accessed. It suggests a combination of automated and manual procedures for regulating who can access what data, what types of queries can be run in what situations, and auditing all database-query activity.

In addition to improving on existing protocols, the report suggests that new avenues of research for automating the data privacy of U.S. citizens might include advanced encryption techniques, and how to enable lawyers or other non-technical personnel to program policies that govern data usage. In May, we covered some Microsoft research into the latter possibility.
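To make the report’s suggestions concrete, here is an added example (not code from the report or from any agency) of a query layer that sits in front of a bulk metadata store: the policy is plain data that a non-engineer could read and edit, every query must name a selector and fit a bounded time window, contact chaining needs a recorded approval before it runs, and every attempt, allowed or denied, goes into a hash-chained audit log so that later tampering with the log is detectable. The records, roles, query kinds and limits are all constructed for the illustration.

```python
"""Policy-gated query layer over a bulk metadata store with a tamper-evident
audit log. Added illustration of the NRC report's suggestions; not code from
the report. Records, roles, query kinds and limits are constructed."""
import hashlib
import json
from datetime import datetime, timedelta

# Constructed bulk store: (caller, callee, UTC timestamp).
RECORDS = [
    ("+15550001", "+15550002", "2014-01-02T10:00:00"),
    ("+15550002", "+15550003", "2014-01-03T11:30:00"),
    ("+15550001", "+15550004", "2014-03-15T09:15:00"),
    ("+15550005", "+15550001", "2013-11-20T17:45:00"),
    ("+15550006", "+15550007", "2014-01-05T08:00:00"),
]

# Declarative policy a non-engineer can read and edit (constructed roles).
# Every query names a selector, windows are bounded, and some query kinds
# need a recorded approval before they touch the data.
POLICY = {
    "analyst": {"allowed_kinds": ["lookup", "chain"], "max_window_days": 90,
                "needs_approval": ["chain"]},
    "auditor": {"allowed_kinds": [], "max_window_days": 0, "needs_approval": []},
}

AUDIT_LOG = []  # append-only; each entry is chained to the previous one


def _append_audit(entry):
    """Hash-chain the entry so that edits or deletions break verification."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    body = json.dumps(entry, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    AUDIT_LOG.append({"entry": entry, "prev": prev, "hash": digest})


def verify_audit_chain():
    """Recompute the chain; False if any entry was altered or removed."""
    prev = "0" * 64
    for item in AUDIT_LOG:
        body = json.dumps(item["entry"], sort_keys=True)
        if item["prev"] != prev:
            return False
        if hashlib.sha256((prev + body).encode()).hexdigest() != item["hash"]:
            return False
        prev = item["hash"]
    return True


def _in_window(ts, start, end):
    return start <= datetime.fromisoformat(ts) <= end


def run_query(role, kind, selector, start, end, approved=False):
    """Evaluate the policy, log the decision, and only then read the data.
    Returns (decision, results); results is [] on a denial."""
    rules = POLICY.get(role)
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    reason = None
    if rules is None:
        reason = "unknown role"
    elif kind not in rules["allowed_kinds"]:
        reason = "query kind not permitted for role"
    elif not selector:
        reason = "selector required; bulk queries are refused"
    elif (e - s) > timedelta(days=rules["max_window_days"]):
        reason = "time window exceeds policy limit"
    elif kind in rules["needs_approval"] and not approved:
        reason = "approval required before this query kind runs"

    decision = "deny" if reason else "allow"
    _append_audit({"role": role, "kind": kind, "selector": selector,
                   "start": start, "end": end, "approved": approved,
                   "decision": decision, "reason": reason})
    if reason:
        return decision, []

    direct = [r for r in RECORDS if selector in r[:2] and _in_window(r[2], s, e)]
    if kind == "lookup":
        return decision, direct
    # "chain": records of the numbers one hop from the selector, in the window
    hop1 = {r[1] if r[0] == selector else r[0] for r in direct}
    hits = [r for r in RECORDS if (r[0] in hop1 or r[1] in hop1)
            and selector not in r[:2] and _in_window(r[2], s, e)]
    return decision, hits


if __name__ == "__main__":
    print(run_query("analyst", "lookup", "+15550001", "2014-01-01", "2014-01-31"))
    print(run_query("analyst", "lookup", "", "2014-01-01", "2014-01-31"))
    print(run_query("analyst", "chain", "+15550001", "2014-01-01", "2014-01-31", approved=True))
    print("audit chain intact:", verify_audit_chain())
```

The gate never reads the store before the decision has been written to the log, so a denied attempt leaves the same trace as an allowed one; that ordering is what makes the audit useful for the “who queried what, when” questions the report raises.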

One alternative to bulk collection that the report suggests is to rely on businesses to store customer data and supply it as needed. This way the NSA isn’t technically collecting or storing data, which could mitigate citizen fears over mass government surveillance. Of course, the report notes, those companies might have strong incentives not to comply with the government — something we’ve already seen from certain companies following accusations that they were in cahoots with the NSA.

However, the report does acknowledge some fundamental flaws in any attempt to improve NSA protocol. A particularly troubling one is the varying terminology that different analysts, agencies and the FISA court (FISC) use to describe the same things — a situation that led to NSA analysts accessing domestic telephone metadata “for several years in some instances.” Another tricky consideration is how to regulate data usage once it has been disseminated to other agencies, ported onto commercial operating systems and data-analysis software, and mixed with other data sources.

There’s also the fact that the report’s authors were presented with only three unclassified use cases to analyze for possible alternatives to bulk data collection. “[I]t was told that this is not a complete set, so its search for collection alternatives was limited,” the report states.

The report expressly avoids taking any position on whether the NSA’s data practices are sound public policy, and it avoids discussion of how some data is collected in the first place. Especially in the case of web data, where documents released by Edward Snowden show the agency essentially hacking into corporate systems and networks, it’s the methods of collection that really have some people upset.

The Washington Post’s slide purporting to show NSA hacking.

Image recognition: Consumer products will drive enterprise breakthroughs
http://gigaom.com/report/image-recognition-consumer-products-will-drive-enterprise-breakthroughs/
Wed, 04 Jun 2014 12:32:17 +0000

Image recognition has come a long way, even since we published our report “How apps can solve photo management” just a year ago. At this point major imaging, storage, and social media vendors like Dropbox, Yahoo, Facebook, Google, Pinterest, and Shutterfly have all acquired image-recognition startups, and they are pursuing the holy grail of understanding what is shown in a consumer’s photo or video so that this imagery can be automatically categorized, retrieved, equipped with content-sensitive links, or otherwise leveraged.

Today’s consumers need the ability to locate relevant photos in their ever-expanding collections. Respondents in our survey assessed solutions for these needs to be valuable but mostly unavailable in the marketplace. While some image-recognition solutions cater to these consumer needs, others focus on the needs of advertisers and ecommerce vendors, who benefit from providing suggestions and links that are aware of image content, similar to how they have also leveraged the analysis of social media texts for advertising and sales purposes. We believe the consumer-driven needs, coupled with the resources and motivation of the advertising-focused social media companies, will provide the image-recognition cross-market breakthroughs that requirements in asset management and stock photos, retail, health care, manufacturing and robotics, and security — or academia — have failed to deliver.

Those consumer offerings will build on academic deep-learning technology, which uses neural networks and massive computing power to create and refine image-recognition algorithms. Image recognition is not yet at the level of voice recognition or OCR and its accuracy varies widely, but given the fast progress, we expect it to get there for most use cases in the next 12 to 36 months. Non-consumer sectors should monitor and adopt the technologies driven by these innovations.

Further progress around image recognition will come from:

• Developing training sets for more classification categories

• Leveraging additional data sources

• Optimizing photos prior to image recognition

• Expanding beyond identifying objects or people

We believe that image recognition will have a considerable impact on many markets, in particular:

Photo services. Image recognition benefits the photo-output industry, as it enables consumers, who are increasingly overwhelmed by the sheer number of their dispersed photos, to still find the pictures worth printing. It also provides opportunities for newcomers in the micro or UGC stock-photo markets to compete with incumbents who still rely on traditional photo-organizing methods.

Web and mobile advertising and ecommerce. With consumers paying attention to UGC photos, image recognition enables advertisers and ecommerce providers to place content-sensitive links on or near photos.

Enterprise asset management. Image recognition provides enterprises the tools to track the use of their branded assets in social media so that they can determine the effectiveness of their campaigns or any misuse of their visual assets.

Feature image courtesy Flickr user Lubomir Panak

Good news: Google stats show government demands for user accounts have stopped rising
http://gigaom.com/2014/03/27/good-news-google-stats-show-government-demands-for-user-accounts-has-stopped-rising/
Thu, 27 Mar 2014 15:13:35 +0000

Google published a ninth update to its semi-annual Transparency Report on Thursday and, for once, there’s a flicker of good news for those concerned about the growth of government surveillance. Unlike previous updates, which showed rapid jumps in requests, the new update shows that the number of Google accounts subject to government demands for user data held steady at about 42,000, roughly the same as in the previous six-month period.

Civil libertarians are hardly going to be turning cartwheels over those numbers since, as Google points out in a blog post, the overall number of law enforcement demands has risen an alarming 120 percent in the last four years. But the fact that the number of requests has plateaued, even as the number of Google users grows, suggests that law enforcement agencies might be becoming less cavalier about demanding that companies identify their users.

Google’s latest transparency report numbers cover July to December 2013, a period that coincides with a series of bombshell disclosures about government surveillance by former NSA contractor Edward Snowden. The disclosures, which revealed how the NSA squeezes tech companies to share information about their users, triggered a national debate over surveillance and also led to a flurry of legal action from technology and telephone companies.

Other numbers from Google’s latest report show that 18,254 of the 42,648 user accounts subject to law enforcement requests belonged to users located in the United States. The accounts represent subscriber services like Gmail or YouTube. U.S. users were subject to by far the highest number of requests, followed by India, France, Germany and the U.K. (here’s the full list).

The original post includes a graph of the overall trend in government requests for user data.

The new figures also show that, while the number of user accounts subject to identity demands is almost unchanged (42,500 in the first half of 2013 versus 42,648 in the second), the overall number of demands rose slightly from 25,879 to 27,477.

The new update is just one part of Google’s Transparency Report initiative, which also includes separate updates for government demands to remove content from Google and for copyright takedowns. Recently, other big tech companies like Facebook and Twitter have begun to follow Google’s example of publishing these reports.

Google’s reports also break out data for the different types of law enforcement requests the company receives, such as subpoenas, search warrants and national security letters. Recently, Google and other tech companies also obtained the right to publish the number of national security requests they receive, reported in broad ranges rather than exact counts.

NSA documents describe botnet-style automated mass malware infection
http://gigaom.com/2014/03/12/nsa-documents-describe-botnet-style-automated-mass-malware-infection/
Wed, 12 Mar 2014 17:41:26 +0000

The Intercept has published a new NSA story, detailing how the intelligence agency and its partners planned – perhaps successfully – to implant malware into millions of computers and routers. An implant on the endpoint sees data before it is encrypted and after it is decrypted, so it sidesteps the encryption of the web services the user relies on instead of having to scoop up traffic as it crosses the internet.

However, the scary thing about the latest revelations is how automated this activity became, and maybe still is. Essentially, the NSA seems to have built a botnet, which is the kind of activity you’d more normally associate with criminal gangs.

Scaling up

The article describes a system called TURBINE that, according to documents leaked by Snowden, can “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.” That’s a far cry from the 100-150 implants the NSA apparently had a decade back.

This is worrisome partly because of the scale of the operation – it’s not exactly targeted surveillance – and partly because of the risks it would create. As F-Secure chief research officer Mikko Hypponen said in the article, such a widespread malware deployment would “potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

As in the case of the NSA’s attempts to subvert the security of the internet by messing around with the standards-setting process, this could well be a case of the agency making innocent people less secure. This quote from the documents is certainly enough to make me nervous:

Expert System (resource and operations manager) is like the brain [;] it manages the applications and functions of implants.
– Decides which tools should be provided to a given implant and executes the rules on how it should be used.
– Decisions of the expert system are passed to the command and control modules, which execute the decision against the appropriate set of implants.

That’s a pretty good description of how a botnet is run, as is this pitch: “It will increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.”

As a side note, one of the documents describes a program called QUANTUMBOT that hijacks actual criminals’ botnets, which must be jolly convenient.

“The new hotness”

The piece also includes other gems, such as a reference to a post entitled “I hunt sys admins”. This seems to fall into the context of attacks such as the Belgacom hack, where GCHQ duped that telecom’s workers with bogus LinkedIn pages that infected their computers. The technique relies on sensors the agencies have placed at points on the internet backbone: when a sensor sees a target request a page, it fires back a forged response that reaches the user’s computer before the real server’s reply, so the browser accepts the fake and the genuine reply, arriving later, is ignored. According to the article, spoofed Facebook pages also serve as a vector for this kind of attack.

One document points out that this sort of “Quantum” attack — run from friendly facilities such as those at Menwith Hill in the U.K. and Misawa in Japan — was becoming more valuable as people became more wary of old-fashioned spam emails with dodgy links. It refers to Quantum as “the new hotness.”
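The race the article describes leaves a detectable trace on the client side of the wire, and the following added example (not code from the article or the leaked documents) shows the check a network sensor can run: if two segments in one flow carry the same TCP sequence number but different bytes, something other than the real server answered, and a different IP TTL on the two segments corroborates that they came from different hops. The packet records are constructed; an honest retransmission and a resegmented retransmission are included so that the check does not fire on them.

```python
"""Detecting an injection race on the wire: two segments in one TCP flow
with the same sequence number but different bytes. Added example, not code
from the article or the leaked documents; the packet records are constructed."""
from collections import defaultdict

# Constructed server->client segments: (flow, seq, ip_ttl, payload).
FLOW_A = "10.0.0.5:51000 <- 203.0.113.10:80"   # target fetching a page
FLOW_B = "10.0.0.5:51001 <- 198.51.100.7:80"   # ordinary flow with a retransmit
CAPTURE = [
    # Flow A: a forged redirect from the on-path sensor wins the race (fewer
    # hops, hence a different TTL); the real answer then arrives at the same seq.
    (FLOW_A, 1000, 49, b"HTTP/1.1 302 Found\r\nLocation: http://lookalike.invalid/\r\n\r\n"),
    (FLOW_A, 1000, 57, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real page</html>"),
    # Flow B: a plain retransmission (identical bytes), then the stream continues.
    (FLOW_B, 4000, 57, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    (FLOW_B, 4000, 57, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    (FLOW_B, 4024, 57, b" world"),
]


def _same_bytes(a, b):
    """A resegmented retransmission (one payload a prefix of the other) is
    honest; only a disagreement within the overlapping bytes counts."""
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def detect_injection(capture):
    """Return one alert per (flow, seq) where a later segment contradicts an
    earlier one at the same sequence number. A TTL mismatch is reported as
    corroboration: the injector sits a different number of hops away."""
    first_seen = defaultdict(dict)   # flow -> seq -> (ttl, payload)
    alerts = []
    for flow, seq, ttl, payload in capture:
        prior = first_seen[flow].get(seq)
        if prior is None:
            first_seen[flow][seq] = (ttl, payload)
            continue
        prior_ttl, prior_payload = prior
        if _same_bytes(prior_payload, payload):
            continue
        alerts.append({
            "flow": flow,
            "seq": seq,
            "first_payload": prior_payload[:40],   # what the client accepted
            "second_payload": payload[:40],        # what it should have got
            "ttl_mismatch": prior_ttl != ttl,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(CAPTURE):
        print(alert)
```

The detector keeps only the first segment seen per sequence number, which is also the one the client’s TCP stack keeps; that is why the first payload in an alert is the one to treat as hostile.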

The documents also describe router implants that let the spooks spy on traffic sent through Virtual Private Networks, or VPNs. There are implants for tapping into webcams (GUMFISH); microphones (CAPTIVATEDAUDIENCE); VoIP traffic (HAMMERCHANT, which should be a Gregorian metal band); keystrokes (GROK, which I feel lacks flair); browser histories (FOGGYBOTTOM, no comment); and removable media (SALVAGERABBIT).

Cat fans may be disturbed to hear the NSA also has an analytic technique called DRAGGABLEKITTEN.

According to The Intercept, TURBINE has been up and running “in some capacity” since the middle of 2010. Is it still going? The NSA told the publication in a statement that, as President Obama promised a few months ago, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”

Personally, I would seize on the word “shall” there, much as people highlighted the way the White House refused to use the past tense when commenting on the bugging of German Chancellor Merkel’s telephone — saying what you are doing and will do is not the same as saying what you have done.

Either way, the documents describe a “more aggressive approach” to signals intelligence that seems to blur the lines between mass and targeted surveillance, and – tactically speaking at least – between our intelligence agencies and the common “cybercriminal.”

Verizon’s first transparency report sheds no light on NSA data collection
http://gigaom.com/2014/01/22/verizons-first-transparency-report-sheds-no-light-on-nsa-data-collection/
Wed, 22 Jan 2014 22:30:33 +0000

Verizon promised back in December that it would give the public a glimpse behind the curtain on its dealings with government information requests and, as promised, it published its first transparency report on Wednesday. The report details the number of subpoenas, wiretap requests and warrants Verizon received last year, but anyone hoping for insight into Verizon’s cooperation with the NSA will be sorely disappointed.

The closest Verizon got was to reveal that it had received between 1,000 and 1,999 national security letters (NSLs) from the FBI. NSLs are FBI demands for specific subscriber records relevant to a terrorism or counterintelligence investigation; they need no judge’s signature, and they are not the same thing as orders from the FISA court.

Verizon isn’t being cagey. Everyone in the tech industry is under a similar gag order when it comes to FISA and the government’s secretive spy courts. Google, Facebook, Microsoft, Yahoo and others are pleading with the government to let them release more data on their cooperation with the NSA and other agencies. In a blog post today, Verizon EVP of Public Policy and General Counsel Randal Milch joined the call for the government to be more transparent about the information it is demanding from the telecom and internet industries.

Still, the information Verizon did reveal in its report was interesting. The greatest number of (non-FISA) requests came in the form of law enforcement subpoenas for subscriber information; Verizon processed 164,184 of them in 2013. It received 70,665 court orders, either for historical subscriber data or for real-time information via pen registers and trap-and-trace devices, as well as 36,696 warrants, mostly for stored content or location information.

Verizon received 1,496 requests for wiretaps on phone lines, which allow law enforcement to listen directly to conversations. The carrier also enumerated the requests for data it received from international law enforcement agencies. The most came from Germany with 2,996 requests, followed by France with 1,347.

NSA surveillance blowback could hit marketers
http://gigaom.com/2013/12/19/nsa-surveillance-blowback-could-hit-marketers/
Thu, 19 Dec 2013 20:32:49 +0000

The revelations about the scope and scale of the NSA’s cyber-surveillance have already been bad for business, with the biggest impact falling on U.S. technology providers and cloud data services. But one of the less-discussed disclosures — that the agency taps into commercial cookies to track individuals’ web habits — has the potential to spread the pain farther, by drawing attention, as David Meyer noted in a post on GigaOM last week, to the very thin and fuzzy line separating commercial and government surveillance.

Yesterday, the Senate Commerce Committee released a pretty scathing report on data brokers and the use of the information they gather by marketers:

Data brokers collect a huge volume of detailed information on hundreds of millions of consumers. Information data brokers collect includes consumers’ personal characteristics and preferences as well as health and financial information. Beyond publicly available information such as home addresses and phone numbers, data brokers maintain data as specific as whether consumers view a high volume of YouTube videos, the type of car they drive, ailments they may have such as depression or diabetes, whether they are a hunter, what types of pets they have; or whether they have purchased a particular shampoo product in the last six months [snip];

Data brokers operate behind a veil of secrecy. Data brokers typically amass data without direct interaction with consumers, and a number of the queried brokers perpetuate this secrecy by contractually limiting customers from disclosing their data sources. Three of the largest companies – Acxiom, Experian, and Epsilon – to date have been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it. Further, the respondent companies’ voluntary policies vary widely regarding consumer access and correction rights regarding their own data – from virtually no rights to the more fulsome policy reflected in the new access and correction database developed by Acxiom.

In case anyone missed the connection, committee chairman Sen. Jay Rockefeller (D-WV) made it explicit at a hearing to discuss the report, calling consumer tracking by data brokers worse than what the NSA does.

“The NSA is so secure in its protection of privacy as compared to this group that we’re talking to, these data brokers,” he said. “It’s not even close.”

The way the two collect a lot of their information is pretty close, though. A story in the Washington Post last week detailing the NSA’s “piggybacking” onto commercial cookies included a slide, taken from an NSA presentation, which the Post describes as follows:

Google assigns a unique PREF cookie anytime someone’s browser makes a connection to any of the company’s Web properties or services…That PREF cookie is specifically mentioned in an internal NSA slide, which references the NSA using GooglePREFID, their shorthand for the unique numeric identifier contained within Google’s PREF cookie. Special Source Operations (SSO) is an NSA division that works with private companies to scoop up data as it flows over the Internet’s backbone and from technology companies’ own systems. The slide indicates that SSO was sharing information containing “logins, cookies, and GooglePREFID” with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.

The cookie disclosure, along with the heightened sensitivity over digital surveillance brought on by the broader revelations about NSA spying, can only strengthen the hand of anyone wanting to impose new restrictions on commercial data collection, and on how those data are used and by whom. That could end up touching a much broader swath of the economy than merely the technology companies that have been affected so far.
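What makes a persistent cookie such as PREF useful to a passive collector is that the same identifier rides along on every request to any of the company’s properties, from whatever network the user happens to be on. The following added example (not code from the NSA, Google or the Post) parses HTTP requests as a tap would see them, pulls the ID out of the PREF cookie and reports which IDs were seen from more than one source address, which is the join that turns a pile of traffic into a record of one person’s movements. The requests, addresses, timestamps and cookie values are all constructed.

```python
"""Cookie-based session linking over passively captured HTTP requests.
Added example, not code from the NSA, Google or the Washington Post; all
requests, addresses, timestamps and cookie values are constructed."""
import re
from collections import defaultdict

# Constructed tap records: (source IP, UTC timestamp, raw HTTP request).
# One PREF ID shows up from two networks and on two properties; a second
# user has a different ID; one request carries no cookie at all.
CAPTURE = [
    ("192.0.2.10", "2013-12-01T08:00:00",
     "GET / HTTP/1.1\r\nHost: www.google.com\r\n"
     "Cookie: PREF=ID=1a2b3c4d5e6f7a8b:TM=1385900000:LM=1385900000:S=abc; NID=67=xyz\r\n\r\n"),
    ("192.0.2.10", "2013-12-01T08:05:00",
     "GET /watch?v=dQw4w9WgXcQ HTTP/1.1\r\nHost: www.youtube.com\r\n"
     "Cookie: PREF=ID=1a2b3c4d5e6f7a8b:TM=1385900000:LM=1385900000:S=abc\r\n\r\n"),
    ("198.51.100.44", "2013-12-01T13:30:00",
     "GET /search?q=flights HTTP/1.1\r\nHost: www.google.com\r\n"
     "Cookie: NID=67=xyz; PREF=ID=1a2b3c4d5e6f7a8b:TM=1385900000:LM=1385900000:S=abc\r\n\r\n"),
    ("203.0.113.9", "2013-12-01T09:00:00",
     "GET / HTTP/1.1\r\nHost: www.google.com\r\n"
     "Cookie: PREF=ID=ffffffff00000000:TM=1385900001:LM=1385900001:S=def\r\n\r\n"),
    ("203.0.113.9", "2013-12-01T09:01:00",
     "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
]

_COOKIE_HDR = re.compile(r"^Cookie:\s*(.*?)\s*$", re.I | re.M)
_HOST_HDR = re.compile(r"^Host:\s*(\S+)", re.I | re.M)
_PREF_ID = re.compile(r"(?:^|;\s*)PREF=ID=([0-9a-fA-F]+)")


def extract_pref_id(raw_request):
    """Return the ID field of the PREF cookie, or None if the request has none."""
    hdr = _COOKIE_HDR.search(raw_request)
    if not hdr:
        return None
    m = _PREF_ID.search(hdr.group(1))
    return m.group(1) if m else None


def correlate(capture):
    """Index every request by PREF ID: which source addresses, which hosts, when."""
    index = defaultdict(lambda: {"sources": set(), "hosts": set(), "times": []})
    for src, ts, raw in capture:
        pref = extract_pref_id(raw)
        if pref is None:
            continue   # nothing persistent to key on
        host = _HOST_HDR.search(raw)
        entry = index[pref]
        entry["sources"].add(src)
        if host:
            entry["hosts"].add(host.group(1))
        entry["times"].append(ts)
    return {pref: {"sources": sorted(e["sources"]),
                   "hosts": sorted(e["hosts"]),
                   "first_seen": min(e["times"]),
                   "last_seen": max(e["times"])}
            for pref, e in index.items()}


def linked_sessions(capture):
    """IDs observed from more than one source address: the same browser, and
    so very probably the same person, seen on different networks."""
    return {pref: info for pref, info in correlate(capture).items()
            if len(info["sources"]) > 1}


if __name__ == "__main__":
    for pref, info in linked_sessions(CAPTURE).items():
        print(pref, info)
```

Nothing here needs the cookie’s other fields or any help from the site that set it; a stable identifier in cleartext is all the join requires, which is the point the Post’s description makes.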